Data Privacy Compliance Series: What Engineering and IT Leaders Need to Know
A Guide to COPPA Compliance When Using Third-Party APIs
As an engineering or IT leader, it’s critical to be aware of the data privacy and compliance requirements that come along with third-party API usage under the Children’s Online Privacy Protection Act (COPPA). If children aren’t your primary audience, you may not think COPPA applies to your business at first glance – but read on to learn how COPPA could be relevant to you and the easiest way to protect against potential violations.
What COPPA Is
COPPA is a federal law designed to give parents of young children (13 years old or younger) control over data collected from their children online.
What It Protects
COPPA protects any personally identifying information (like full name, address, contact information, geolocation information, screen names, etc.) about children under the age of 13. The law also applies to children outside of the U.S.
Why It Matters to You If You’re Consuming APIs
You are subject to COPPA if your website, business or app is either directed at children under 13 (like a children’s game or the website of a children’s movie) or collects and/or shares personal information from children under 13. (You can find more information about how to determine whether your business is directed at children here.) So even if your website targets a more general audience, if you have knowledge that you may collect or share data from children under 13, you’ll need to comply with COPPA.
When it comes to APIs, COPPA requires you to verify that third parties with whom you share personal information have reasonable practices for maintaining confidentiality and security and for preventing unauthorized use of children’s information.
The penalty for not complying with COPPA can be a $16,000 - $40,000 fine per child affected by the violation.
What You Need to Provide for Your Customers
- The ability to consent. Under COPPA, anyone collecting information from children under 13 needs to get consent from a child’s parent before any information is collected.
- The ability to specify how data is used. Parents have the right to consent to data collection for a website or business’s internal use only and prohibit the sale or sharing of the information to third parties, like APIs.
- A record of information that has been collected about a child upon request of the parents, who can review these records or have them deleted at any time.
What COPPA Requires of Your Business
Three Things You’ll Need to (Easily) Comply with COPPA
- Clear Data Records.
It’s critical to keep clear records of what data and information your business is collecting. If your business is directed at children under 13, these records will help you easily share or delete information upon a parent’s request and ensure that information is deleted when it is no longer necessary to retain. Further, if your business is not directed at children under 13, having clear visibility into what data you are collecting and sharing will help you verify either that you are not collecting information from children, or that you do need to take steps to become COPPA-compliant.
- Data Policy Controls.
Setting up automated data controls will help you ensure that you are complying with parents’ requests to prohibit data sharing with third parties and that each piece of data is only being shared or stored according to COPPA requirements and parental requests.
- Ongoing Monitoring.
Ongoing monitoring means you’ll be alerted immediately in the event of a possible COPPA violation. It’s a good idea even for companies that do not target children under 13 to monitor all data collection and sharing in the event that information is collected from a child or is mistakenly shared.
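The three items above fit together as one control in front of every outbound third-party API call: a record of what personal information each request carries, a policy gate that applies the parent's consent choice, and an alert when a transfer would have violated it. The following is an added example written for this article, not code from the original post or from Hoss. The consent registry, the PII field names, the record layout and the API names are all assumptions constructed for the illustration; map them onto your own data model.

```python
"""Consent-aware gate for outbound third-party API calls.

Added example, not code from the original article or from Hoss. The consent
states, field names, record layout and API names are assumptions made up for
the illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

# Categories of personal information the article names (full name, address,
# contact information, geolocation, screen name). Field names are assumed.
PII_FIELDS = {"full_name", "address", "email", "phone", "geo", "screen_name"}


class Consent(Enum):
    NONE = "none"                    # no verifiable parental consent on file
    INTERNAL_ONLY = "internal_only"  # parent allowed collection for internal use only
    THIRD_PARTY_OK = "third_party"   # parent also allowed sharing with third parties


@dataclass
class Subject:
    user_id: str
    age: Optional[int]   # None when the age is unknown
    consent: Consent


@dataclass
class Decision:
    action: str                 # "allowed", "pii_stripped" or "blocked"
    payload: Dict[str, object]  # what may actually be sent to the API
    reason: str


# Constructed in-memory stores standing in for a real audit log and alert sink.
AUDIT_LOG: List[dict] = []
ALERTS: List[str] = []


def gate_outbound(subject: Subject, record: Dict[str, object], api_name: str) -> Decision:
    """Decide what, if anything, in `record` may be sent to `api_name`.

    An unknown age is treated as under 13: the article's point is that a
    general-audience site that may hold children's data still has to comply.
    """
    pii_keys = sorted(k for k in record if k in PII_FIELDS)
    maybe_child = subject.age is None or subject.age < 13

    if not maybe_child:
        decision = Decision("allowed", dict(record), "subject is 13 or older")
    elif not pii_keys:
        decision = Decision("allowed", dict(record), "no personal information in record")
    elif subject.consent is Consent.NONE:
        # Personal information of a child with no parental consent: never send, and alert.
        decision = Decision("blocked", {}, "no parental consent on file")
        ALERTS.append(f"possible COPPA violation: {api_name} call for {subject.user_id} without consent")
    elif subject.consent is Consent.INTERNAL_ONLY:
        # Parent permitted internal use only: forward the non-PII fields, withhold the rest.
        stripped = {k: v for k, v in record.items() if k not in PII_FIELDS}
        decision = Decision("pii_stripped", stripped, f"parent prohibited sharing; withheld {pii_keys}")
        ALERTS.append(f"PII withheld from {api_name} for {subject.user_id}: {pii_keys}")
    else:
        decision = Decision("allowed", dict(record), "parental consent covers third-party sharing")

    # Every decision is recorded so a parent's review request can be answered.
    AUDIT_LOG.append({
        "user_id": subject.user_id,
        "api": api_name,
        "action": decision.action,
        "fields_sent": sorted(decision.payload),
        "pii_in_record": pii_keys,
        "reason": decision.reason,
    })
    return decision


def records_for_parent(user_id: str) -> List[dict]:
    """Everything a parent may review about transfers involving their child."""
    return [entry for entry in AUDIT_LOG if entry["user_id"] == user_id]


if __name__ == "__main__":
    child = Subject("child-1", 10, Consent.INTERNAL_ONLY)   # constructed sample subject
    print(gate_outbound(child, {"full_name": "A. Example", "score": 42, "geo": "0,0"}, "analytics-api"))
    print(gate_outbound(Subject("child-2", 11, Consent.NONE), {"email": "kid@example.test"}, "mail-api"))
    print(records_for_parent("child-1"))
    print(ALERTS)
```

The gate sits in the one place all third-party calls pass through (an HTTP client wrapper or outbound proxy), so a new integration cannot bypass it; the audit entries are what you hand back on a parent's review request, and the alert list is what ongoing monitoring watches.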
Hoss lets you track, tag and monitor all of your data processing activities with third-party APIs to help you protect your customers’ privacy and stay compliant with COPPA as simply as possible. Get in touch to learn more.